Security

This page provides a list of security-related tweaks and tips.

Information on how to use a VPN and increasing your privacy by configuring your network can be found on the networking page.

Using SSH with a key instead of password

When you have SSH enabled on your phone, it is a good idea to use key-based authentication instead of password-based authentication. This is especially true if you use a numeric-only password!

On your mobian phone install openssh-server:

sudo apt install openssh-server

If you don't already have a private/public key pair, generate one first:

ssh-keygen -t ed25519

You should probably secure your key with a password. Now copy your public key to the device:

ssh-copy-id mobian@mobian

Now you can log in via SSH with your key. To disable password logins, search for PasswordAuthentication in /etc/ssh/sshd_config and change it to PasswordAuthentication no.

Or run this command:

sudo sed -i "s/#PasswordAuthentication yes/PasswordAuthentication no/" /etc/ssh/sshd_config

It is also a good idea to use an uncommon port for SSH, to reduce the noise and battery usage caused by SSH scanners on the Internet.

sudo sed -i "s/#Port 22/Port 45673/" /etc/ssh/sshd_config

Finally, restart sshd:

sudo systemctl restart sshd

Extra note:

If you have secured your SSH key with a password and don't want to retype it every time you reconnect with SSH, you can run:

eval $(ssh-agent)
ssh-add

Now you should not be prompted to enter your password (as long as you are running ssh from the same environment/terminal).

Disk encryption

Disk encryption is currently available through the Mobian Installer. This image can be found in the installer directory of the download page for your device. For the PinePhone for example, this is https://images.mobian-project.org/pinephone/installer/.

Encrypted /home partition

The following method uses a keyfile which will be stored on disk, so it is strongly recommended to only use it in conjunction with an encrypted rootfs.

1. Copy the contents of your home directory with: sudo mkdir /tmp/mobian && sudo rsync -avz /home/mobian/ /tmp/mobian/

2. Ensure your sdcard has a single ext4 (or f2fs) partition

3. Encrypt your sdcard (WILL ERASE ALL DATA): sudo cryptsetup -h sha256 -c aes-xts-plain64 -s 512 luksFormat /dev/mmcblk0p1

4. Unlock the new encrypted partition: sudo cryptsetup luksOpen /dev/mmcblk0p1 home_crypt

5. Format the unlocked partition with ext4 (or f2fs): sudo mkfs.ext4 -m 0 /dev/mapper/home_crypt

6. Generate the keyfile which will automatically unlock the partition: sudo dd if=/dev/urandom of=/root/keyfile bs=1024 count=4 && sudo chmod 0400 /root/keyfile

7. Add the keyfile to the Luks partition: sudo cryptsetup luksAddKey /dev/mmcblk0p1 /root/keyfile

8. A UUID identifies the partition more specifically than the block device name, so run sudo blkid /dev/mmcblk0p1 and copy the UUID

9. In /etc/crypttab add the following line: home_crypt /dev/disk/by-uuid/{PASTE UUID HERE} /root/keyfile luks,timeout=30

10. Add the line to /etc/fstab: /dev/mapper/home_crypt /home ext4 defaults 0 2 (If you formatted it as f2fs then replace ext4 with f2fs)

11. Mount the partition: sudo mount -t ext4 /dev/mapper/home_crypt /home

12. Copy the contents of /tmp/mobian (original home dir data): sudo rsync -avz /tmp/mobian /home/ (Trailing slashes must be exactly as written)

13. Reboot (Upon verified success, delete /tmp/mobian)
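The following script is an added example and not part of the Mobian wiki. It does not run the destructive cryptsetup and mkfs steps; it checks the two prerequisites the method depends on (the keyfile is root-owned mode 0400 and / itself lives on dm-crypt, otherwise the keyfile sits in clear text) and then prints the crypttab and fstab lines of steps 9 and 10 with the UUID filled in from blkid. The device, mapper name and keyfile path are the page's values; the --print flag is this example's.

```shell
#!/bin/sh
# Added example, not from the Mobian wiki: preflight checks plus the
# crypttab/fstab entries for the encrypted /home method described above.
set -eu

MAPPER=home_crypt
KEYFILE=/root/keyfile

# A LUKS UUID as printed by blkid: 8-4-4-4-12 lower-case hex groups
uuid_is_valid() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
}

# crypttab_entry MAPPER UUID KEYFILE -> the /etc/crypttab line from step 9
crypttab_entry() {
    printf '%s /dev/disk/by-uuid/%s %s luks,timeout=30\n' "$1" "$2" "$3"
}

# fstab_entry MAPPER FSTYPE -> the /etc/fstab line from step 10 (ext4 or f2fs)
fstab_entry() {
    case "$2" in
        ext4|f2fs) ;;
        *) echo "unsupported filesystem: $2" >&2; return 1 ;;
    esac
    printf '/dev/mapper/%s /home %s defaults 0 2\n' "$1" "$2"
}

# A keyfile readable by other users defeats the purpose: require root:0400
keyfile_mode_ok() {
    [ "$(stat -c '%a:%U' "$1")" = "400:root" ]
}

# The keyfile is only as safe as the filesystem holding it: / must be on dm-crypt
root_is_encrypted() {
    [ "$(lsblk -no TYPE "$(findmnt -no SOURCE /)" 2>/dev/null | head -n 1)" = "crypt" ]
}

if [ "${1:-}" = "--print" ]; then           # sudo sh prepare-home.sh --print /dev/mmcblk0p1 ext4
    dev=${2:-/dev/mmcblk0p1} fstype=${3:-ext4}
    root_is_encrypted || { echo "refusing: / is not on an encrypted device" >&2; exit 1; }
    keyfile_mode_ok "$KEYFILE" || { echo "refusing: $KEYFILE must be root-owned, mode 0400" >&2; exit 1; }
    uuid=$(blkid -s UUID -o value "$dev")
    uuid_is_valid "$uuid" || { echo "no LUKS UUID found on $dev" >&2; exit 1; }
    echo "# append to /etc/crypttab:"; crypttab_entry "$MAPPER" "$uuid" "$KEYFILE"
    echo "# append to /etc/fstab:";    fstab_entry "$MAPPER" "$fstype"
fi
```

Run it with --print after step 7 and paste the two printed lines into the respective files; the refusal messages point at the exact prerequisite that is missing.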

Secure boot

TODO

Daemon sandboxing

Sandboxing is implemented for some system daemons through hardening directives in their systemd unit files.

Use `sudo systemd-analyze security` to check the current status
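As an added example (not from the Mobian wiki), the filter below reduces the table printed by systemd-analyze security to the units whose exposure score is at or above a threshold; the score runs from 0.0 (fully sandboxed) to 10.0 (no restrictions). The sample report embedded in the script is constructed, and its unit names and scores are illustrative, not measured on a device.

```shell
#!/bin/sh
# Added example, not from the Mobian wiki: list the least-sandboxed units
# from the output of `systemd-analyze security`.
set -eu

# Constructed sample in the layout systemd-analyze prints (not real measurements)
SAMPLE_REPORT='UNIT                                  EXPOSURE PREDICATE HAPPY
ModemManager.service                       5.6 MEDIUM    😐
eg25-manager.service                       9.6 UNSAFE    😨
ssh.service                                9.6 UNSAFE    😨
systemd-logind.service                     2.8 OK        🙂'

# exposed_units THRESHOLD  (report on stdin) -> "unit score" for each unit at/above it
exposed_units() {
    awk -v min="$1" 'NR > 1 && $2 + 0 >= min { print $1, $2 }'
}

if [ "${1:-}" = "--live" ]; then
    # Real data: sudo sh exposed-units.sh --live 8
    systemd-analyze security --no-pager | exposed_units "${2:-8}"
else
    printf '%s\n' "$SAMPLE_REPORT" | exposed_units 8
fi
```

For any unit the filter lists, `systemd-analyze security UNIT` prints the per-directive breakdown that explains its score.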

Application sandboxing

Application sandboxing can be implemented using either Bubblewrap or Firejail.

Bubblewrap is configured by wrapping the application you want to sandbox in a script which builds the sandbox. Using this method, it is possible to reproduce the isolation provided by Flatpak packages using only first-party Debian packages. For example, to sandbox Firefox while using the mobile config and providing access to the Downloads folder, the following script could be used:

bwrap \
--ro-bind /usr/bin/ /usr/bin/ \
--symlink usr/lib /lib \
--ro-bind /usr/lib /usr/lib \
--ro-bind /usr/share/applications /usr/share/applications \
--ro-bind /usr/share/ca-certificates /usr/share/ca-certificates \
--ro-bind /usr/share/fonts /usr/share/fonts \
--ro-bind /usr/share/glib-2.0 /usr/share/glib-2.0 \
--ro-bind /usr/share/glvnd /usr/share/glvnd \
--ro-bind /usr/share/icons /usr/share/icons \
--ro-bind /usr/share/libdrm /usr/share/libdrm \
--ro-bind /usr/share/mime /usr/share/mime \
--ro-bind /usr/share/X11/xkb /usr/share/X11/xkb \
--ro-bind /etc/fonts /etc/fonts \
--ro-bind /etc/resolv.conf /etc/resolv.conf \
--dir /run/user/"$(id -u)" \
--ro-bind /run/user/"$(id -u)"/pulse /run/user/"$(id -u)"/pulse \
--ro-bind /run/user/"$(id -u)"/wayland-0 /run/user/"$(id -u)"/wayland-0 \
--dev /dev \
--dev-bind /dev/dri /dev/dri \
--ro-bind /sys/dev/char /sys/dev/char \
--proc /proc \
--tmpfs /tmp \
--bind /home/mobian/.mozilla /home/mobian/.mozilla \
--bind /home/mobian/Downloads /home/mobian/Downloads \
--unshare-all \
--share-net \
--hostname RESTRICTED \
--setenv HOME /home/mobian \
--setenv GTK_THEME Adwaita:dark \
--setenv MOZ_ENABLE_WAYLAND 1 \
--setenv PATH /usr/bin \
--die-with-parent \
--new-session \
/usr/bin/firefox

Firejail

Like Bubblewrap, Firejail sandboxes applications and has a fairly straightforward syntax.

To install: sudo apt install firejail

To wrap an application run:

firejail CommandHere

To check on currently sandboxed applications run:

firejail --list

To set up all applications for sandboxing:

sudo firecfg

To whitelist locations an app is allowed to access, edit the application's Firejail profile in the /etc/firejail directory. Add a line like this for each location to grant access to (such as the Downloads directory):

whitelist /directory/fileStructure

Blacklisting access can be done by adding:

blacklist /directory/fileStructure

To sandbox an application with Firejail when it is launched from its desktop button/icon, edit the application's .desktop file in /usr/share/applications and change its Exec= line (the key is case-sensitive) so that firejail precedes the full path to the application:

Exec=firejail applicationCommand

Further profile configuration can be accomplished through Firejail Configuration Tool.
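An added example, not from the Mobian wiki or the Firejail project, that covers the two edits above without touching package-owned files: it writes the whitelist line into the application's .local override (Firejail's stock profiles end with an include of APP.local, which is looked up in ~/.config/firejail), and it copies the .desktop file into the user's applications directory with every Exec= line prefixed by firejail. A file of the same name under ~/.local/share/applications takes precedence over /usr/share/applications and is not overwritten by package upgrades. The directory arguments exist so the functions can be exercised on temporary paths.

```shell
#!/bin/sh
# Added example, not from the Mobian wiki or Firejail: per-user Firejail
# whitelist override plus a sandboxed copy of an application's .desktop file.
set -eu

# add_local_whitelist CONFDIR APP PATH: append "whitelist PATH" to CONFDIR/firejail/APP.local
# once (Firejail macros such as ${HOME} or ${DOWNLOADS} are passed through literally)
add_local_whitelist() {
    dir="$1/firejail" f="$1/firejail/$2.local"
    mkdir -p "$dir"
    touch "$f"
    grep -qxF "whitelist $3" "$f" || printf 'whitelist %s\n' "$3" >> "$f"
}

# prefix_exec_with_firejail SRC DST: copy a .desktop file, putting "firejail " in front
# of every Exec= command (main entry and [Desktop Action] sections); idempotent
prefix_exec_with_firejail() {
    awk '
        /^Exec=/ && $0 !~ /^Exec=firejail[ \t]/ { sub(/^Exec=/, "Exec=firejail ") }
        { print }
    ' "$1" > "$2"
}

if [ "${1:-}" != "" ]; then
    # Usage: sh firejail-app.sh firefox '${HOME}/Downloads'
    app=$1
    confdir=${XDG_CONFIG_HOME:-$HOME/.config}
    appdir=${XDG_DATA_HOME:-$HOME/.local/share}/applications
    [ "${2:-}" = "" ] || add_local_whitelist "$confdir" "$app" "$2"
    mkdir -p "$appdir"
    prefix_exec_with_firejail "/usr/share/applications/$app.desktop" "$appdir/$app.desktop"
    echo "wrote $appdir/$app.desktop"
fi
```

After the launcher has been used once, firejail --list (as above) should show the application with its profile; if it does not, the desktop environment is still reading the original .desktop file.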

Usbguard

Protects against unauthorized USB devices being connected. Provided optionally by the usbguard package. Not enabled by default.

To install: sudo apt install usbguard

/etc/usbguard/usbguard-daemon.conf is used to configure runtime parameters of the daemon.

/etc/usbguard/rules.conf is used to define policy rules for USB devices.

This example applies the policy to every connected USB device and only allows devices that are explicitly allowed in /etc/usbguard/rules.conf to operate.

/etc/usbguard/usbguard-daemon.conf
RuleFile=/etc/usbguard/rules.conf
ImplicitPolicyTarget=block
PresentDevicePolicy=apply-policy
PresentControllerPolicy=keep
InsertedDevicePolicy=apply-policy
AuthorizedDefault=none
RestoreControllerDeviceState=false
DeviceManagerBackend=uevent
IPCAllowedUsers=root
IPCAllowedGroups=root plugdev
IPCAccessControlFiles=/etc/usbguard/IPCAccessControl.d/
DeviceRulesWithPort=false
AuditBackend=FileAudit
AuditFilePath=/var/log/usbguard/usbguard-audit.log
HidePII=false

After installation, rules will be auto-generated for all currently connected USB devices. If you occasionally use other devices such as a USB hub, keyboard or mouse, you'll need to plug in all required devices and re-generate the policy rules using:

sudo sh -c 'usbguard generate-policy > /etc/usbguard/rules.conf'

Edit /etc/usbguard/rules.conf and simplify the rule for the phone modem. The auto-generated rule doesn't always match the modem, which might then not be allowed to connect after returning from deep sleep. Leave only the allow, id, serial, name, hash and parent-hash values, i.e.:

allow id 2c7c:0125 serial "" name "EG25-G" hash "…" parent-hash "…"

This is important: if you don't do this, the modem might get blocked after waking from sleep and you lose phone capability. The Calls app will say something like "no voice capable modem found" and you will get a notification about an unknown USB device.
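Doing the simplification by hand is error-prone when rules.conf has been regenerated several times, so here is an added example (not from the Mobian wiki or the usbguard project) that rewrites generated rules to keep exactly the attributes named above and drop via-port, with-interface and with-connect-type. An optional regex restricts the rewrite to matching rules (for instance the modem's name) and leaves all other rules untouched; the sample rules in the test are constructed, with placeholder hashes.

```shell
#!/bin/sh
# Added example, not from the Mobian wiki or usbguard: simplify generated
# usbguard rules to allow/block + id, serial, name, hash, parent-hash.
# Usage: simplify_usbguard_rules [FILTER_REGEX] < rules.conf
set -eu

simplify_usbguard_rules() {
    awk -v filt="${1:-}" '
    BEGIN { keep["id"]; keep["serial"]; keep["name"]; keep["hash"]; keep["parent-hash"] }

    # Take the next token off "rest": a "quoted string", a { set } or a bare word.
    # Assumes names contain no escaped quotes.
    function next_token(    tok, n) {
        sub(/^[ \t]+/, "", rest)
        if (rest == "") return ""
        if (substr(rest, 1, 1) == "\"") {
            n = index(substr(rest, 2), "\"")
            tok = substr(rest, 1, n + 1); rest = substr(rest, n + 2)
        } else if (substr(rest, 1, 1) == "{") {
            n = index(rest, "}")
            tok = substr(rest, 1, n); rest = substr(rest, n + 1)
        } else {
            match(rest, /^[^ \t]+/)
            tok = substr(rest, 1, RLENGTH); rest = substr(rest, RLENGTH + 1)
        }
        return tok
    }

    $0 ~ /^[ \t]*#/ || $0 ~ /^[ \t]*$/ { print; next }   # comments and blank lines pass through
    filt != "" && $0 !~ filt            { print; next }   # rules outside the filter pass through

    {
        rest = $0
        out = next_token()                 # rule target: allow / block / reject
        while ((key = next_token()) != "") {
            val = next_token()             # every attribute is a key followed by one value
            if (key in keep) out = out " " key " " val
        }
        print out
    }'
}

if [ "${1:-}" = "--rewrite" ]; then
    # sudo sh simplify-usbguard.sh --rewrite 'name "EG25-G"'  (keeps a .bak copy)
    cp /etc/usbguard/rules.conf /etc/usbguard/rules.conf.bak
    simplify_usbguard_rules "${2:-}" < /etc/usbguard/rules.conf.bak > /etc/usbguard/rules.conf
fi
```

Because hash and parent-hash remain in the rule, the device is still pinned to its descriptors; only the attributes that vary between enumerations are dropped. Check the result with usbguard list-rules after restarting the daemon.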

Troubleshooting:

  • Check active rules: usbguard list-rules
  • Examine /var/log/usbguard/usbguard-audit.log

Firewall

By default, Mobian should not be exposing dangerous ports. However, when you install additional packages (umtp-responder, ssh, ...) you might want to enable a firewall in order to limit access to the PinePhone. See here for how to do so.

Trust

Trusting that the programs you download and execute are actually the ones the authors have written is a crucial and critical issue, and there are several steps in the chain from the author's editor to the binary on your device.

To make sure the binary package you download does not contain any backdoors or malware and has not been modified in any other form, the Debian project pushes Reproducible builds, so that a user recompiling a source package ends up with a byte-identical binary package. This is less trivial than it might sound, but it has progressed a lot. See their page for more information.

Trusting that no one has modified the package in transit from the Mobian or Debian repository to your device (e.g. a mirror operator, a mobile phone operator, your ISP, a Wi-Fi hotspot operator, or your favourite three-letter agency) is handled by signing all binary packages with a GPG key from either the Debian or the Mobian project. Only if the signature matches will the package manager accept the binary download and install it. This way you can retrieve your updates via insecure means, e.g. over HTTP in a public hotspot, and still be sure you get an unmodified package file.

AppArmor

See https://wiki.debian.org/AppArmor/HowToUse for install and configuration instructions.

Packages with privacy issues

Some packages in Debian (and thus mobian) have known privacy issues. Check their list for details.